Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

User Accessed Suspicious URL Categories

Back
Idfb0f4a93-d8ad-4b54-9931-85bdb7550f90
RulenameUser Accessed Suspicious URL Categories
DescriptionCreates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.
SeverityMedium
TacticsInitialAccess
CommandAndControl
TechniquesT1566
T1071
Required data connectorsSyslogAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SymantecProxySG/Analytic Rules/UserAccessedSuspiciousURLCategories.yaml
Version1.0.5
Arm templatefb0f4a93-d8ad-4b54-9931-85bdb7550f90.json
Deploy To Azure
SymantecProxySG
| mv-expand cs_categories
| where cs_categories has_any ("Suspicious","phishing", "hacking")
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer,  tostring(cs_categories)
kind: Scheduled
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: cs_userdn
    identifier: FullName
- entityType: Host
  fieldMappings:
  - columnName: Computer
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: c_ip
    identifier: Address
description: |
    'Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.'
severity: Medium
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1566
- T1071
status: Available
tactics:
- InitialAccess
- CommandAndControl
name: User Accessed Suspicious URL Categories
id: fb0f4a93-d8ad-4b54-9931-85bdb7550f90
query: |
  SymantecProxySG
  | mv-expand cs_categories
  | where cs_categories has_any ("Suspicious","phishing", "hacking")
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer,  tostring(cs_categories)  
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
version: 1.0.5
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SymantecProxySG/Analytic Rules/UserAccessedSuspiciousURLCategories.yaml
queryPeriod: 1h
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fb0f4a93-d8ad-4b54-9931-85bdb7550f90')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fb0f4a93-d8ad-4b54-9931-85bdb7550f90')]",
      "properties": {
        "alertRuleTemplateName": "fb0f4a93-d8ad-4b54-9931-85bdb7550f90",
        "customDetails": null,
        "description": "'Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.'\n",
        "displayName": "User Accessed Suspicious URL Categories",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "cs_userdn",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "c_ip",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SymantecProxySG/Analytic Rules/UserAccessedSuspiciousURLCategories.yaml",
        "query": "SymantecProxySG\n| mv-expand cs_categories\n| where cs_categories has_any (\"Suspicious\",\"phishing\", \"hacking\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer,  tostring(cs_categories)\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "InitialAccess"
        ],
        "techniques": [
          "T1071",
          "T1566"
        ],
        "templateVersion": "1.0.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}